{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6582", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T05:40:42.538Z", "datePublished": "2026-04-19T22:45:11.780Z", "dateUpdated": "2026-04-20T14:06:22.007Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-19T22:45:11.780Z"}, "title": "TransformerOptimus SuperAGI Vector Database Management Endpoint vector_dbs.py get_vector_db_details missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "TransformerOptimus", "product": "SuperAGI", "versions": [{"version": "0.0.1", "status": "affected"}, {"version": "0.0.2", "status": "affected"}, {"version": "0.0.3", "status": "affected"}, {"version": "0.0.4", "status": "affected"}, {"version": "0.0.5", "status": "affected"}, {"version": "0.0.6", "status": "affected"}, {"version": "0.0.7", "status": "affected"}, {"version": "0.0.8", "status": "affected"}, {"version": "0.0.9", "status": "affected"}, {"version": "0.0.10", "status": "affected"}, {"version": "0.0.11", "status": "affected"}, {"version": "0.0.12", "status": "affected"}, {"version": "0.0.13", "status": "affected"}, {"version": "0.0.14", "status": "affected"}], "cpes": ["cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*"], "modules": ["Vector Database Management Endpoint"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T07:45:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-z (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358217", "name": "VDB-358217 | TransformerOptimus SuperAGI Vector Database Management Endpoint vector_dbs.py get_vector_db_details missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358217/cti", "name": "VDB-358217 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791072", "name": "Submit #791072 | SuperAGI up to c3c1982 Missing Authentication for Critical Function (CWE-306)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/f38b32a9cd0c9722e04a716ca4dbf9d5", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:04:04.699121Z", "id": "CVE-2026-6582", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:06:22.007Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "TransformerOptimus SuperAGI Vector Database Management Endpoint vector_dbs.py get_vector_db_details missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-z (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:superagi:superagi:*:*:*:*:*:*:*:*"], "vendor": "TransformerOptimus", "modules": ["Vector Database Management Endpoint"], "product": "SuperAGI", "versions": [{"status": "affected", "version": "0.0.1"}, {"status": "affected", "version": "0.0.2"}, {"status": "affected", "version": "0.0.3"}, {"status": "affected", "version": "0.0.4"}, {"status": "affected", "version": "0.0.5"}, {"status": "affected", "version": "0.0.6"}, {"status": "affected", "version": "0.0.7"}, {"status": "affected", "version": "0.0.8"}, {"status": "affected", "version": "0.0.9"}, {"status": "affected", "version": "0.0.10"}, {"status": "affected", "version": "0.0.11"}, {"status": "affected", "version": "0.0.12"}, {"status": "affected", "version": "0.0.13"}, {"status": "affected", "version": "0.0.14"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T07:45:54.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358217", "name": "VDB-358217 | TransformerOptimus SuperAGI Vector Database Management Endpoint vector_dbs.py get_vector_db_details missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358217/cti", "name": "VDB-358217 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791072", "name": "Submit #791072 | SuperAGI up to c3c1982 Missing Authentication for Critical Function (CWE-306)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/YLChen-007/f38b32a9cd0c9722e04a716ca4dbf9d5", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-19T22:45:11.780Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6582", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:04:04.699121Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-20T14:05:58.111Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-6582", "state": "PUBLISHED", "dateUpdated": "2026-04-19T22:45:11.780Z", "dateReserved": "2026-04-19T05:40:42.538Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-19T22:45:11.780Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6582", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-19T23:16:34.080", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/YLChen-007/f38b32a9cd0c9722e04a716ca4dbf9d5"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791072"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358217"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358217/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.6"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.7"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.8"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.9"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.10"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.11"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.12"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.13"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.0.14"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "SuperAGI", "source": "cna", "vendor": "TransformerOptimus"}, "product": "superagi", "vendor": "transformeroptimus"}], "analysis": {"en": {"generated_at": "2026-04-20T00:50:39.954662+00:00", "value": {"mitigation_remediation": ["Check the vendor's website or repository for an updated release that addresses the missing authentication issue in get_vector_db_details and upgrade SuperAGI to version 0.0.15 or later.", "Implement network\u2011level controls to restrict access to the Vector Database Management Endpoint, allowing only trusted IPs or internal networks to reach it.", "Add authentication and authorization to the endpoint, for example by requiring an API key or OAuth token before returning database details.", "If the endpoint is not required for the deployment, disable or remove the vector_dbs API route entirely."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized retrieval of vector database details"}, "threat_synthesis": {"affected_systems": "The issue affects TransformerOptimus SuperAGI versions up to and including 0.0.14. The affected component is the vector_dbs.py controller in the superagi package.", "description_and_impact": "The flaw resides in the get_vector_db_details function of the Vector Database Management Endpoint in TransformerOptimus SuperAGI. The endpoint performs no authorization checks, allowing any remote user to obtain detailed information about vector databases managed by the system. This vulnerability allows an attacker to retrieve database details without authentication.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a medium severity. The vulnerability is not listed in CISA KEV. The exploit is documented and can be executed remotely, allowing attackers to trigger the endpoint from outside the network. As the vendor has not released a patch, exposed installations face a higher risk."}}}}, "created": "2026-04-20T01:00:09.279907+00:00", "updated": "2026-04-20T14:58:33.050200+00:00", "vendors": ["transformeroptimus", "transformeroptimus$PRODUCT$superagi"]}